The variables in $_SERVERare not really part of PHP, which is why you won't find them in the PHP documentation. They are prepared by the Web server which passes them on to the scripting language.

中的变量$_SERVER实际上并不是 PHP 的一部分，这就是为什么您不会在 PHP 文档中找到它们的原因。它们由 Web 服务器准备，然后将它们传递给脚本语言。

As far as I know, the X-Requested-Withis sent by the Ajax functions of most major Frameworks but not all (Dojo, for example, added it only two years ago: #5801). As such, and taking into considerations @bobince' comments, it's safe to say it's not generally a 100% reliable method to determine whether a request is an AJAX request or not.

据我所知，X-Requested-With由大多数主要框架的 Ajax 函数发送，但不是全部（例如，Dojo 仅在两年前添加：#5801）。因此，考虑到@bobince 的评论，可以肯定地说，确定请求是否为 AJAX 请求通常不是 100% 可靠的方法。

The only 100% secure way is to send a pre-defined flag (e.g. a GET variable) along with the request and for the receiving page to check for the presence of that flag.

唯一 100% 安全的方法是随请求一起发送预定义的标志（例如 GET 变量），并让接收页面检查该标志是否存在。

don't forget that you can easily spoof any header with cURL like so

不要忘记，您可以像这样轻松地使用 cURL 欺骗任何标头

curl_setopt($ch,CURLOPT_HTTPHEADER,array("X-Requested-With : XMLHttpRequest"));

$_SERVERkeys that start with HTTP_are generated from HTTP request headers. In this case, the X-Requested-Withheader.

$_SERVER开头的键HTTP_是从 HTTP 请求头生成的。在这种情况下，X-Requested-With标题。

This header is a standardization-in-progress from all of the AJAX libraries out there.

这个头文件是所有 AJAX 库中正在进行的标准化。

It won't be documented in the php documentation per-se, but rather in the different AJAX libraries that set this header. Common libraries do sent this header: jQuery, Mojo, Prototype, ...

它本身不会记录在 php 文档中，而是记录在设置此标头的不同 AJAX 库中。公共库确实发送了这个头文件：jQuery、Mojo、Prototype、...

Usually these library will set the header using

通常这些库会使用

xhrobj.setRequestHeader("X-Requested-With", "XMLHttpRequest");

Here's a quick function with example usage:

这是一个带有示例用法的快速函数：

function isXmlHttpRequest()
{
    $header = isset($_SERVER['HTTP_X_REQUESTED_WITH']) ? $_SERVER['HTTP_X_REQUESTED_WITH'] : null;
    return ($header === 'XMLHttpRequest');
}

// example - checking our active call
if(!isXmlHttpRequest())
{
    echo 'Not an ajax request';
}
else
{
    echo 'is an ajax request';
}

echo $_SERVER['HTTP_X_REQUESTED_WITH'];

What'd you expect from such a code? Assume you're running it directly from the browser, not using AJAX request. So, how come this header could be set?

你对这样的代码有什么期望？假设您直接从浏览器运行它，而不是使用 AJAX 请求。那么，这个标题是如何设置的呢？

Well the Answer to the Ultimate Question of Life, the Universe, and Everything - an HTTP sniffer! Get yourself one and forget of printing $_SERVER variable.

好吧，这是生命、宇宙和一切终极问题的答案——一个HTTP 嗅探器！给自己一个，忘记打印 $_SERVER 变量。

Firebug has one, or you may want to use Fiddler HTTP proxy or LiveHTTPHeaders Mozilla plugin. I'm bored to make links but it easily googled.

Firebug 有一个，或者您可能想使用 Fiddler HTTP 代理或 LiveHTTPHeaders Mozilla 插件。我很无聊做链接，但很容易用谷歌搜索。

So, with HTTP sniffer you can be sure of any HTTP header ever.

因此，使用 HTTP 嗅探器，您可以确定任何 HTTP 标头。

Note that you can't prevent any "direct access" by using XHR, as every HTTP request to your server is already "direct".

请注意，您无法使用 XHR 阻止任何“直接访问”，因为对服务器的每个 HTTP 请求都已经是“直接”的。

You can also blame some browser bugs - see this question and its solution for Firefox

您也可以归咎于一些浏览器错误 - 请参阅此问题及其针对 Firefox 的解决方案

Firefox does not preserve custom headers during Ajax request redirect: an ASP.NET MVC solution

Firefox 在 Ajax 请求重定向期间不保留自定义标头：ASP.NET MVC 解决方案

IE also having caching issuewhich is more serious then detection of request method.

IE 也有缓存问题，这比检测请求方法更严重。

You anyway needs to add cache busters to avoid caching, so why not use another flag to specify the ajax call - or more better you can use different URL like http://ajax.mysite.com/endpoint/sevice?params

您无论如何都需要添加缓存破坏器以避免缓存，那么为什么不使用另一个标志来指定 ajax 调用 - 或者更好的是您可以使用不同的 URL，如http://ajax.mysite.com/endpoint/sevice?params

The best solution to make sure if an HTTP request is truly sent via AJAX is using SESSION checking , you send session_id in a get parameter and you check this session if it's allowed or not !

确保 HTTP 请求是否真正通过 AJAX 发送的最佳解决方案是使用 SESSION 检查，您在 get 参数中发送 session_id 并检查此会话是否允许！

$headers = apache_request_headers();
$is_ajax = (isset($headers['X-Requested-With']) && $headers['X-Requested-With'] == 'XMLHttpRequest');

I agree Pekka. There is no reliable native method between front side and back side that can auto-detect if a client is really calling an endpoint using AJAX.

我同意佩卡。前端和后端之间没有可靠的本地方法可以自动检测客户端是否真的使用 AJAX 调用端点。

For my own use, I have few main ways to check if a client is requesting one of my endpoint:

对于我自己的使用，我有几种主要方法来检查客户端是否正在请求我的端点之一：

1. I can use HTTP_X_REQUESTED_WITH when I'm not in cross domain context.

2. instead of checking "X-requested-with", I'm checking $_SERVER['HTTP_ORIGIN'] (that is sent from AJAX request) intending to handle cross domain permissions. Most of time, the main reason why I'm checking if a request is an AJAX request, is especially because of cross domain permissions, using this PHP code: header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']); // If this "HTTP_ORIGIN" is in my white list

3. my APIs expect from the client to explicit, in few cases, the datatype (JSON, HTML etc.) into a GET or a POST var. For example, I check if $_REQUEST['ajax'] is not empty or equal to an expected value.

1. 当我不在跨域上下文中时，我可以使用 HTTP_X_REQUESTED_WITH。

2. 我没有检查“X-requested-with”，而是检查 $_SERVER['HTTP_ORIGIN'] （从 AJAX 请求发送）打算处理跨域权限。大多数时候，我检查请求是否是 AJAX 请求的主要原因，尤其是因为跨域权限，使用此 PHP 代码： header('Access-Control-Allow-Origin: '.$_SERVER[' HTTP_ORIGIN']); // 如果这个“HTTP_ORIGIN”在我的白名单中

3. 我的 API 期望客户端在少数情况下将数据类型（JSON、HTML 等）显式转换为 GET 或 POST 变量。例如，我检查 $_REQUEST['ajax'] 是否不为空或等于预期值。